Friday, September 25, 2015

TLS/SSL - Does SNI Have a Limit on Number of Domains Running on Nginx?


SNI (Server Name Indication) is an extension to the TLS/SSL protocol that allows a webserver to serve multiple domains on the same IP, each with its own SSL server certificate. With SNI, the server can select the certificate appropriate for the domain/URL the client is asking for. Before SNI, all vhosts listening on the same IP and port had to present the same SSL certificate.

Does anyone know if there's a limit to the number of domains that I can serve on the same IP?

With standard HTTP there is no limit. I just specify a different vhost for each domain, and the webserver matches the client's "Host:" header against the vhosts' server_name or server_alias entries. SNI works similarly, but it matches SSL certificates instead, and there could be hundreds on one IP. I wonder if anyone knows whether SNI has a limit, or performs slowly, with hundreds of certificates on the same IP.
